Home      Products & Services      Contact Us      Links

WebHatchers will design & develop your site for you.

Website Menu Heaven: menus, buttons, etc.

Send us your questions.

site search by freefind

SEO, Google, Privacy
   and Anonymity
Browser Insanity
Popups and Tooltips
Free Website Search
HTML Form Creator
Buttons and Menus
Image Uploading
Website Poll
IM and Texting
   or Not MySQL
Personal Status Boards
Content Management
Article Content
   Management Systems
Website Directory
   CMS Systems
Photo Gallery CMS
Forum CMS
Blog CMS
Customer Records
   Management CMS
Address Book CMS
Private Messaging CMS
Chat Room CMS
JavaScript Charts
   and Graphs

Free Personal Status Boards (PSB™)

Free Standard Free PSB

Free PSB Pro Version

Free Social PSB

Free Social PSB Plus (with Email)

Free Business PSB

Free Business PSB Plus (with Email)

PSB demo

Social PSB demo

Business PSB demo

So what's all this PSB stuff about?

Chart comparing business status boards

PSB hosting diagram

PSB Licence Agreement

Copyright © 2002 -
MCS Investments, Inc. sitemap

PSBs, social networking, social evolution, microcommunities, personal status boards
PSBs, social networking, business personal status boards
website design, ecommerce solutions
website menus, buttons, image rotators
Ez-Architect, home design software
the magic carpet and the cement wall, children's adventure book
the squirrel valley railroad, model railroad videos, model train dvds
the deep rock railroad, model railroad videos, model train dvds

HTML Form Creator—Login to Profile and Account Management CMS

This script is called login_.php

The HTML Form Creator—Login to Profile and Account Management CMS script is one of a group of PHP scripts that handle both the administrative and end-user aspects of a general purpose HTML Form Creator that allows not just input boxes but multiple selection enabled select/option lists as well. In addition to the expectable editing scripts for both administrative and end-user functions, there's also a Search and Match script so that users can use the scripts to find other users with various individual or group commonalities, including proximity searches, i.e., find all the users within various distances. There are even private messaging scripts.

The purpose of this script is to provide a way in which the user can be logged in to our HTML Form Creator apps. This is needed for either interfacing with the user membership MySQL table or interfacing with the record the user creates by using the administrator-created HTML form creator form. Note that the 3 administrator files are not for the user and not to be seen, found, or accessed by any user. These are strictly for the administrator who creates the HTML form, and they need to be kept and used in private folders protected by htaccess-based password and username access, which can easily be done from the cPanel X control panel on the server.

First, we start up a session. Then we stick the session id into a session variable which we will be checking for on every one of our HTML form creator apps, to see if it is set, which indicates a login. Then we define a named constant '_NODIRECTACCESS'. We include the config.php file (in the includes folder) which uses the PHP defined() function to check on this constant. If it is not set, we are thrown out of the config.php file like yesterday's trash.

There's a JavaScript script now that has input validation scripts for passwords and user names. We use both JavaScript and PHP validation to filter input from the user since the cardinal rule for user input is: NEVER TRUST IT. If you want to trust it, simply ensure that it will be safe for putting into your MySQL tables as well as displaying on your web pages. By far the best method here is to use the JavaScript for the users' benefit and the PHP for security. If JavaScript is turned off (in which case our scripts won't even work), the PHP validation scripts are your last line of defense to keep things safe. On the other hand, the JavaScript allows the user to get a user-friendly response to unacceptable or wrong input in fields. Rather than making the user restart the form when he goofs, good JavaScript validation scripts use the focus() method to put the cursor back on the field where the goof occurred as well as alerting the user to his error. PHP-only validation forces form restart, which is maddening to users.

We use /^[A-Za-z0-9!@#$%^&*()_]{6,20}$/ types of regular expressions to force the data to conform to the needs of the data fields, with the first part showing the acceptable characters and the second part forcing the length—in this case—to be 6 to 20 characters.

We now turn to the PHP section. First we grab all POSTed data that gets sent to the page after the submit button is clicked. Note that we stick the username into a session variable. There is a captcha in the form and the user must give the correct answer to be logged. The correct answer will be figured in a different PHP script (more on that later) and stuck into the a__________a session variable. When the form is submitted, we check the answer the user gives against this a__________a variable and if it is incorrect, the user sees "Wrong captcha answer. Please try again." and is made to restart the login process. The captchas are all simple: adding or substracting a 1-digit number to/from a 2-digit number.

If the user gets it right, the username they entered is checked for in the db table. If such a name already exists, the user is allowed to continue the login process. If the user is silly enough to disable JavaScript, the PHP will still force the data to be within certain length parameters. Too long data gets trimmed off and too short data causes an alert and the user is made to restart the login process. If the username does not exist, the PHP program will say so and the user will see "This user name does not exist. Please try again." and he is made to restart the login process.

The very standard PHP username and password validators take standard data but not unusual data. So the password filter allows !@#$%^&*()_ and alphanumeric data but that's it. Input will be turned into a hash soon enough. Disallowed characters are replaced with an empty string by the preg_replace() function. We also filtered out tags someone may try to sneak in, by use of the strip_tags() function.

Next we get the random-alphanumeric-character-laden salt (in $o) from the db table as well as the hash (in $pw). Then we use the salt and the entered password in $P to create the hash. We compare this with the db hash. If they do not match, the user sees "Sorry, username/password combination is wrong." and the user is made to restart the login process.

The password does not go into the db like the hash and salt do, so if anyone asks for theirs like in HTML Form Creator—Forgot Password, we simply create a random string and email it to them and say "here's your new password." Few companies allow storing of passwords—it's dumb.

If the login is successful, we stick the user's id in a session variable because in the private messaging aspects of our system it will be used to identify who sends and/or receives what message. People are allowed to change both group names and user names, but never IDs, so the messages will still be dealt with all right even if everyone changes group names and user names. We also stick the user's groupname in a session variable.

If the goofup flag ($N is 1) is set or the submit has not occurred ($Entry is 0), the login form is displayed. The form itself is pretty standard stuff. It has maxlength attributes to keep lengths limited and it uses an onsubmit event to run the JavaScript validator. But the form also uses a captcha. We used the official captcha method in our Personal Status Board (PSB™) scripts, but designed a less cumbersome method for our HTML Form Creator login script.

Take a gander at the captcha code: <IMG SRC="captcha-with-sessions.php" alt='captcha'>. A pretty strange type of image, to be sure! Browsers do NOT mind PHP scripts sitting in for PNG, BMP, GIF, or JPG images, believe it or not. The message "If you see no Captcha, disable your ad blocker" is displayed near the captcha because ad blockers with strong settings may knock the captcha out of the form. But Pop-up Blockers do not molest our captcha since it is NOT a pop-up. It's a random PNG image created using functions from the GD library, which is in all recent PHP versions. (To use the recommended bundled version of the GD library, which was first bundled in PHP 4.3.0, get your server hosts to use the configure option "--with-gd". Most already do this.)

The captcha image uses the font Holisb__.ttf, which is the Holiday Springs BTN True Type Font (get at MyFonts.com), but you may use other types if you wish. If you find arial.ttf in your C:\WINDOWS\Fonts\ directory on your computer, make sure it is in your folder with your PHP scripts on your server. Holisb__.ttf does a much cooler job, and will be harder for any automatic spambot script to read (and get the right answer for the arithmetic problem). For the captcha script, go to: HTML Form Creator—Captcha Script for Registration and Login.

The script below is called: login_.php

$_SESSION['sessionid'] = session_id();



<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<TITLE>Login to HTML Form Creator</TITLE>
<meta name="description" content="Login to HTML Form Creator">
<meta name="keywords" content="Login to HTML Form Creator,match,search,login Script,login,php,javascript, dhtml, DHTML">
<style type="text/css">
BODY {margin-left:0; margin-right:0; margin-top:0;text-align:left}
p, li {font:13px Verdana; color:black;text-align:left}
h1 {font:bold 28px Verdana; color:black;text-align:center}
h2 {font:bold 24px Verdana;text-align:center}
h3 {font:bold 15px Verdana;}
.k {text-align:right}
.j {position:absolute;top:50px;left:50%;margin-left:-300px;width:600px}
#myform {position:absolute;top:145px;left:50%;margin-left:-225px;width:450px;border:2px solid black;background-color:#8aa;}
#links {position:absolute;top:210px;left:82%;width:160px}
#t {width:410px;padding:9px;margin-top:-25px}
<script language="javascript">

function validatepassword(){

var ck_password = /^[A-Za-z0-9!@#$%^&*()_]{6,20}$/;
if (document.formpw.password.value.search(ck_password)==-1)
{alert("Please enter 6 to 20 letters, numbers and these for password: !@#$%^&*()_");document.formpw.password.focus();return false;}

var ck_username = /^[A-Za-z0-9_]{6,20}$/;
if (document.formpw.username.value.search(ck_username)==-1)
{alert("Please only enter 6 to 20 letters, numbers and underline for user name.");document.formpw.username.focus();return false}

return true;}




$_SESSION['username'] = $U;

if($Entry==1 && $A<>$_SESSION['a__________a']){$N=1;unset($U);echo '<script language="javascript">alert("Wrong captcha answer. Please try again.");window.location="login_.php";</script>;';


if (strlen($U)<6) {$N=1;unset($U);echo '<script language="javascript">alert("Please enter 6 to 20 characters for user name."); window.location = "login_.php"; </script>';
if (strlen($P)<6) {$N=1;unset($U);echo '<script language="javascript">alert("Please enter 6 to 20 characters for password."); window.location = "login_.php"; </script>';
$pattern3 = '/[^a-zA-Z0-9\\_]/i';
$pattern4 = '/[^A-Za-z0-9\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\_]/i';
$replacement = '';
$U=preg_replace($pattern3, $replacement, $U);
$P=preg_replace($pattern4, $replacement, $P);

$check_user_data = mysql_query("SELECT * FROM my_members WHERE username = '$U' LIMIT 1") or die(mysql_error());

if(mysql_num_rows($check_user_data) == 0)
{$N=1;unset($U);echo '<script language="javascript">alert("This user name does not exist. Please try again.");window.location="login_.php";</script>;';

$get_user_data = mysql_fetch_array($check_user_data);
$_SESSION['groupname'] = $G;
$_SESSION['userid'] = $id;

echo '<script language="javascript">alert("Sorry, username/password combination is wrong."); window.location="login_.php";</script>';}


if($N==1||$Entry==0){ ?>

<center><h1>Login to HTML Form Creator</h1><div id='t'></div></center>

<div id='myform'><BR><center><h3>Login</h3></center><table id='t' border='0' cellspacing=0 cellpadding=2>
<form id='formpw' name="formpw" method="post" action="login_.php" onsubmit="return validatepassword()">
<tr><td class='k'><label for="User Name"><b>User Name: </b></td><td><input type="text" name="username" size="20" maxlength="20" value=""></label></td></tr>
<tr><td class='k'><label for="Password"><b>Password: </b></td><td><input type="password" name="password" size="20" maxlength="20" value=""></label></td></tr>
<tr><td class='k'><input type="hidden" name="entry" value="1">
&nbsp;</td><td><IMG SRC="captcha-with-sessions.php" alt='captcha'>
<tr><td class='k'><label for="Captcha answer"><b>Captcha answer: </b></td><td><input type="text" name="answer" size="20" maxlength="20" value=""></label></td></tr>
<tr><td align=left colspan=2>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;If you see no Captcha, disable your ad blocker.</td></tr>
<tr><td class='k'>&nbsp;</td><td><BR><input type="submit" value="Submit">
<input type="reset" value="Reset"></td></tr></form></table><BR>

<div id='links'><BR>
<a HREF="register-with-captcha_.php">Register</a><BR>
<a HREF="http://www.css-resources.com/">Home</a><BR>
<a href="http://www.css-resources.com/contact.html">Contact us</a><BR>
<a href='forgot-password.php'>I forgot my password</a><BR>
<a HREF='forgot-user-name.php'>I forgot my user name</a><BR>


<form name="MyForm" method="POST" action="profile-and-account-management.php">
<input type="hidden" name="username" value=" ">


<script language="javascript">
var u = <?php echo json_encode($U); ?>;